ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.

This project was inspired by Ragpicker (https://github.com/robbyFux/Ragpicker, formerly known as “Malware Crawler”). However, ph0neutria aims to:

+ Limit the scope of crawling to only frequently updated and reliable sources.
+ Maximise the effectiveness of individual indicators.
+ Offer a single, reliable and well organised storage mechanism.
+ Not do work that can instead be done by Viper.

ph0neutria

What does the name mean? “Phoneutria nigriventer” is commonly known as the Brazilian Wandering Spider: https://en.wikipedia.org/wiki/Brazilian_wandering_spider

Sources
URL feeds:
+ Malc0de.
+ Malshare.
+ VX Vault.

OSINT. If required, passive DNS is used to produce a list of recent IPs for a domain, and VirusTotal is queried for recent URLs pertaining to each IP. Only one source may be queried at any one time so as not to exceed VirusTotal API request limits. The resulting URL list from each source is filtered by Levenshtein distance to reduce the number of near-duplicate items, and each source is processed in its own thread.
+ AlienVault OTX.
+ CyberCrime Tracker.
+ DNS-BH.
+ Payload Security (Hybrid Analysis).
+ Shodan.
+ ThreatExpert.
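The two mechanics described above, the Levenshtein-distance filter that collapses near-duplicate URLs and the lock that lets only one source thread talk to VirusTotal at a time, as an added Python illustration (not ph0neutria's own code). The distance threshold, the function names and the sample URLs are constructed assumptions.

```python
"""Added example: Levenshtein URL de-duplication plus a single-source
VirusTotal lock, illustrating the OSINT pipeline described above.
Threshold, names and sample URLs are assumptions, not project values."""
import threading

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def filter_similar(urls, max_distance: int = 3):
    """Keep a URL only if it differs from every already-kept URL by more
    than max_distance edits, so near-identical payload paths on one host
    (a.exe, b.exe, ab.exe) collapse to a single download attempt."""
    kept = []
    for url in urls:
        if all(levenshtein(url, k) > max_distance for k in kept):
            kept.append(url)
    return kept

# Each OSINT source runs in its own thread, but only one of them may hit
# VirusTotal at a time; a lock shared by all source threads enforces that.
VT_LOCK = threading.Lock()

def query_vt_exclusive(query_fn, *args):
    """Run query_fn (assumed to wrap a VirusTotal lookup) under the lock."""
    with VT_LOCK:
        return query_fn(*args)

# Constructed sample feed: three near-identical paths on one host plus two
# variants on another (documentation IP ranges, not real indicators).
SAMPLE_URLS = [
    "http://198.51.100.7/dl/a.exe",
    "http://198.51.100.7/dl/b.exe",
    "http://198.51.100.7/dl/ab.exe",
    "http://203.0.113.9/update/setup.bin",
    "http://203.0.113.9/update/setup2.bin",
]

if __name__ == "__main__":
    print(filter_similar(SAMPLE_URLS))
```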